May 2005
Report No. 05-018

Implementation of E-Government Principles

AUDIT REPORT


Background and Purpose of Audit

E-Government is generally defined as the use of Internet-based technologies by government
agencies to provide information and services to citizens, businesses, and other governmental
agencies. In 2001, the President initiated several government reform efforts, collectively
known as the President’s Management Agenda (PMA), to make the federal government more
results-oriented, efficient, and citizen-centered.

Expanded E-Government is one initiative in the PMA. The goals of the PMA and E-Government
initiatives are to eliminate redundant systems and significantly improve the government’s
quality of customer service for citizens and businesses. The Office of Management and Budget
(OMB) is using its Executive Branch Management Scorecard (Scorecard) to measure agency
success in executing E-Government initiatives.

The original audit objective was to determine whether the FDIC (1) adequately implemented
E-Government principles in its operations and information exchange with insured financial
institutions and (2) complied with applicable portions of the Government Paperwork
Elimination Act. However, we limited our work to obtaining an understanding of the FDIC’s
progress on E-Government initiatives because the FDIC had not yet developed a comprehensive
E-Government strategic plan.

Results of Audit

The FDIC has made progress in implementing various initiatives that are consistent with
E-Government principles and implementing guidance from OMB. In addition, the Corporation has
taken steps to develop a comprehensive E-Government strategic plan that will be linked to
associated corporate goals and objectives in areas addressed by OMB’s Scorecard and the
E-Government Act guidance. Absent such a strategic plan, with appropriate linkages to
corporate goals and objectives, the FDIC risked not efficiently and effectively planning,
coordinating, and implementing E-Government initiatives.

During our review, the Corporation established a Corporate Performance Objective in
December 2004 to develop and implement a new E-Government strategy. The strategy will promote
a paperless corporate environment in which the majority of transactions and data and document
storage are handled electronically. The FDIC also established a working group that has
developed a draft project plan to guide development of the E-Government strategic plan. At
this time, the draft project plan does not specifically address either performance measures
or desired outcomes for the E-Government initiatives.

After we completed our review, the Corporation established a milestone of December 31, 2005
for the approval of a new E-Government strategic plan.

Recommendations and Management Response

The actions taken by the Corporation during and after our review, together with planned
actions, adequately address our finding. Thus, we are not making any recommendations. We
suggest, however, that in completing the new E-Government strategic plan, the Corporation be
mindful of OMB’s guidance that E-Government performance measures must be linked to the
Corporation’s Annual Performance Plan and Strategic Plan and desired outcomes of
E-Government initiatives must be identified.

    Expanded E-Government Areas Monitored by OMB

    •   Establishment of an Enterprise Architecture
    •   Preparation of Business Cases for Major Systems Investments
    •   Remediation of Security Weaknesses
    •   Certification and Accreditation of Systems
    •   Establishment of a Process and Plan for Implementing E-Government Initiatives

    Source: OMB’s Scorecard.


TABLE OF CONTENTS

BACKGROUND

RESULTS OF AUDIT

THE FDIC’S PROGRESS IN IMPLEMENTING E-GOVERNMENT
    Enterprise Architecture
    Business Cases for Major Systems Investments
    Remediation of Security Weaknesses
    Certification and Accreditation of Systems
    Other Corporate Efforts to Promote E-Government
    Process and Plan for Implementing E-Government Initiatives
    Conclusion

CORPORATION COMMENTS AND OIG EVALUATION

APPENDIX I: OBJECTIVE, SCOPE, AND METHODOLOGY

APPENDIX II: EXPANDED ELECTRONIC GOVERNMENT

FIGURE
    The FDIC’s Enterprise Architecture Framework


Federal Deposit Insurance Corporation
801 17th Street NW, Washington, DC 20434
Office of Audits
Office of Inspector General

DATE:             May 24, 2005

MEMORANDUM TO:    Michael E. Bartell
                  Chief Information Officer and
                  Director, Division of Information Technology

FROM:             Russell A. Rau
                  Assistant Inspector General for Audits

SUBJECT:          Implementation of E-Government Principles
                  (Report No. 05-018)

The Federal Deposit Insurance Corporation (FDIC) Office of Inspector General (OIG) has
completed an audit of FDIC’s implementation of E-Government principles. The objective of
our audit was to determine whether the FDIC (1) adequately implemented E-Government
principles in its operations and information exchange with FDIC-insured financial institutions
and (2) complied with applicable portions of the Government Paperwork Elimination Act
(GPEA). As discussed in detail in Appendix I, we limited the scope of our audit to obtaining
an understanding of the Corporation’s progress on E-Government initiatives after we
determined that the FDIC had not developed an E-Government strategic plan.

BACKGROUND

E-Government is generally defined as the use of Internet-based technologies by government
agencies to provide information and services to citizens, businesses, and other governmental
agencies. E-Government initiatives are increasingly being leveraged as technological
advancements and rising citizen expectations set a standard for a more accessible, reliable,
and streamlined government. Further, E-Government has been the subject of initiatives
established and guidance issued by the President and the Office of Management and Budget
(OMB) and in legislation passed by the Congress in December 2002.
The initiatives, guidance, and legislation, which are not always applicable to the FDIC,
represent prudent business practices (see discussion of applicability in Appendix I).

President’s Management Agenda

In 2001, the President initiated several government reform efforts, collectively referred to as
the President’s Management Agenda (PMA), to make the federal government more
results-oriented, efficient, and citizen-centered. The PMA includes five broad initiatives:

•   Human Capital
•   Competitive Sourcing
•   Improving Financial Performance
•   Expanded E-Government
•   Budget and Performance Integration

The goal of the PMA and E-Government initiatives is to eliminate redundant systems and
significantly improve the government’s quality of customer service for citizens and
businesses. E-Government initiatives are (1) citizen-centered rather than bureaucratic or
agency-centered, (2) results-oriented by producing measurable improvements for citizens,
and (3) market-based by actively promoting innovation.

OMB E-Government Strategy

In February 2002, OMB issued the E-Government Strategy, designating 24 high-profile
initiatives to lead the government’s transition to E-Government. The 24 initiatives are
divided among 4 key portfolios:

    •   Government to Citizen initiatives provide one-stop, on-line access to information
        and services to citizens.
    •   Government to Business initiatives help business interact efficiently and effectively
        with the federal government.
    •   Government to Government initiatives forge new partnerships among levels of
        government.
        These partnerships should also facilitate collaboration between levels of
        government and empower state and local governments to deliver citizen services more
        effectively.
    •   Internal Efficiency and Effectiveness initiatives apply industry’s best practices to
        government.

E-Government Act of 2002

The President signed the E-Government Act of 2002 (Act) on December 17, 2002; most of
the Act’s provisions became effective on April 17, 2003. The purpose of the Act was to
enhance the management and promotion of electronic government services and processes by
establishing a federal Chief Information Officer (CIO) within the OMB and by establishing a
broad framework of measures that require using Internet-based information technology (IT)
to enhance citizen access to government information and services. The Act, in essence,
codified the PMA, added new initiatives to previously established statutory requirements, and
required federal agencies to follow OMB guidance on E-Government.

OMB E-Government Act Guidance

In August 2003, OMB issued guidance on specific actions required under the Act.
Specifically, according to Implementation Guidance for the E-Government Act of 2002,
agencies are expected to do the following:

•   Define and deliver performance increases that matter to citizens – Agencies are to
    develop performance measures for E-Government that are both citizen- and
    productivity-related.
    The measures must be linked to the agency’s Annual Performance Plan and
    Strategic Plan and be used to meet agency objectives, strategic goals, and statutory
    mandates in E-Government and IT.

•   Communicate policies within and across agencies – The agency CIO will serve as the
    primary official for assisting agency heads in implementing the Act and OMB guidance.

•   Comply with section 508 to ensure accessibility – Agencies are to continue to comply
    with section 508 of the Rehabilitation Act of 1973.¹

Other agency requirements include: making public regulations and rulemaking processes
electronically accessible, conducting assessments of effects on privacy issues in relation to
new IT investments and on-line information collections, and establishing and operating IT
training programs for personnel.

OMB Executive Branch Management Scorecard

The OMB Executive Branch Management Scorecard (Scorecard) tracks how well the
departments and major agencies are executing the five PMA initiatives. The OMB Scorecard
employs a simple stoplight scoring system common today in well-run businesses, using green
for success, yellow for mixed results, and red for unsatisfactory results.

With regard to expanded E-Government, OMB is monitoring progress in the following areas
to measure agencies’ success.

    •   Establishment of an Enterprise Architecture
    •   Preparation of Business Cases for Major Systems Investments
    •   Remediation of Security Weaknesses
    •   Certification and Accreditation of Systems
    •   Establishment of a Process and Plan for Implementing E-Government Initiatives

The specific standards for the expanded E-Government element of the Scorecard are in
Appendix II.
As of December 31, 2004, the OMB Scorecard showed that many of the
departments and major agencies are making progress toward implementing the initiatives.

¹ The FDIC is not required by law to comply with the provisions of the Rehabilitation Act of 1973 but does
voluntarily comply.

The FDIC’s Division of Information Technology and CIO Council

The FDIC’s Division of Information Technology (DIT) has overall responsibility for the
Corporation’s IT activities and the E-Government initiatives. Also, the FDIC has established
a CIO Council to advise the CIO on all aspects of adoption and use of IT at the FDIC. The
Council has taken a leadership role in developing a strategy for and implementing the
Corporation’s E-Government initiatives.

RESULTS OF AUDIT

The FDIC had made progress in implementing various initiatives that are consistent with
E-Government principles and implementing guidance from OMB. In addition, the
Corporation had taken steps to develop a comprehensive E-Government strategic plan that
will be linked to associated corporate goals and objectives in areas addressed by OMB’s
Scorecard and the E-Government Act guidance. Absent such a strategic plan, with
appropriate linkages to corporate goals and objectives, the FDIC risked not efficiently and
effectively planning, coordinating, and implementing E-Government initiatives.

THE FDIC’S PROGRESS IN IMPLEMENTING E-GOVERNMENT

The FDIC had issued an IT strategic plan, had developed a high-level E-Government
Strategy, and implemented, or was in the process of implementing, activities and information
systems that were consistent with E-Government principles and that addressed PMA
initiatives.
However, the Corporation had not developed a comprehensive E-Government
strategic plan that included, or that was linked to, goals and objectives in areas outlined in the
E-Government Act. Further, the Corporation had not finalized a process to implement
appropriate E-Government initiatives. As a result, the FDIC risked not efficiently and
effectively implementing the initiatives.

Enterprise Architecture

    Development of agency enterprise architectures will assist in building a
    comprehensive business-driven blueprint of the entire federal government.
    The development of this framework has and will continue to enable the federal
    government to identify opportunities to leverage technology; reduce
    redundancy; facilitate information sharing; establish a direct relationship
    between IT and mission/program performance; and maximize IT investments
    to better achieve mission outcomes.

    Source: OMB’s Expanding E-Government Results Report.

During 2002, the FDIC began developing an enterprise architecture (EA) to establish a
corporate-wide roadmap for achieving the FDIC’s mission within an efficient IT
environment. The FDIC’s E-Government strategy is a component of the EA that focuses on
service delivery for the FDIC’s internal and external customers.
The FDIC’s EA Framework is shown below.

[Figure: The FDIC’s Enterprise Architecture Framework]

Source: The FDIC’s DIT.

The FDIC had taken the following actions in developing and implementing an EA:

    •   Developed an EA Blueprint that defines, at a high level, the FDIC’s current and
        target EAs, including a security architecture.
    •   Drafted a Security Standards Profile that identifies the security standards specific
        to the security services specified in the EA.
    •   Established a Technical Review Group for reviewing new and upgraded IT
        security solutions.
    •   Developed an EA Technical Reference Model that identifies and describes
        security services throughout the Corporation.
    •   Created checklists to facilitate the analysis of information security associated with
        IT investments.
    •   Issued formal policies for the FDIC’s EA and Capital Planning and Investment
        Management programs.
    •   Continued the oversight of EA products and processes and evaluated proposed IT
        investments for alignment with the information security architecture principles
        contained in the EA Blueprint.
    •   Initiated a pilot implementation of an EA Repository product to integrate
        EA-related products and information currently housed in various FDIC systems
        and data sources and establish an automated, comprehensive, accurate, and
        dynamic baseline for the EA.
    •   Implemented an on-line publication, The Architect, to communicate news and
        information related to the EA program internally for FDIC employees.

Business Cases for Major Systems Investments

    Business cases have clearly defined vision and outcomes, including
    security linked to the department’s or agency’s mission through their
    enterprise architecture with benefits far outweighing the costs.

    Source: OMB’s Expanding E-Government Results Report.

The FDIC had established a Capital Investment Review Committee (CIRC) that reviews all
IT initiatives with capital outlays of more than $3 million. The CIRC also reviews certain
other projects that cost less but are considered critical to the FDIC. The CIRC determines
whether a proposed investment is appropriate for consideration by the FDIC Board of
Directors and oversees approved investments throughout their life cycle. The FDIC Capital
Investment policy requires an executive sponsor for each IT capital investment to be
responsible for establishing a link between the recommended investment and the FDIC’s
strategic goals and objectives. Further, the policy requires project teams to develop a project
proposal (i.e., a business case) that documents the business needs of the project. Among
other things, the business case must demonstrate financial soundness and alignment with the
EA and provide support for the organization’s business needs and the users’ needs.

In February 2004, the FDIC created the CIO Council as one of the primary governance
mechanisms for IT management. The CIO Council is composed of senior IT-focused
executives from each of the FDIC’s business line divisions. The Council is responsible for
advising the CIO in developing an enterprise perspective on corporate systems; assisting in
the development of an overall IT strategic plan; and reviewing IT initiatives, projects,
priorities, and resources.
The CIO Council is responsible for setting the strategic direction
for IT and, in concert with the CIRC, is responsible for reviewing and recommending IT
investments by the Corporation.

Remediation of Security Weaknesses

    Agency submits quarterly status reports to OMB regarding remediation of
    IT security weaknesses, and the Inspector General verifies the
    effectiveness of the security remediation process.

    Source: Expanded Electronic Government Scorecard Criteria.

The FDIC uses the Internal Risks Information System (IRIS) as its primary management tool
for monitoring and tracking the remediation of agency information security weaknesses.
Specifically, the FDIC uses IRIS to monitor and track the resolution of Government
Accountability Office and FDIC Office of Inspector General audits, reviews, evaluations, and
surveys. The system contains Plans of Action and Milestones (POA&M) information
(including findings, conditions, recommendations, corrective actions, and milestones) related
to information security weaknesses and tracks this information by audit, review, and
evaluation. The FDIC assigned the Office of Enterprise Risk Management (OERM) primary
responsibility for administering IRIS. The FDIC’s divisions and offices, in coordination with
OERM, are responsible for maintaining current, accurate, and complete information in IRIS
for their respective business areas. OERM uses IRIS to generate periodic progress reports
and briefings to FDIC management on the status of agency information security weaknesses.

The CIO is providing OMB with quarterly POA&M reports on the FDIC’s progress in
correcting its program-level security weaknesses.
In August 2004, the FDIC began preparing
system-level POA&Ms for its major applications and general support systems² to track
security weaknesses identified through self-assessment reviews. We noted in our 2004
Federal Information Security Management Act (FISMA) evaluation report that we were not
able to perform sufficient testing to fully evaluate the system-level POA&Ms because they
had been recently implemented. We plan to perform a more detailed analysis of the FDIC’s
system-level POA&Ms as part of our 2005 FISMA evaluation work.

Certification and Accreditation of Systems

    Certification and accreditation ensures that information systems’
    security controls are implemented correctly and operating as
    intended and that an agency official has authorized operation of the
    system based on those security controls.

    Source: National Institute of Standards and Technology.

As of September 30, 2004, the FDIC had established a baseline level of assurance for its
major applications and general support systems by performing certifications and
accreditations at a low level of assurance. At that time, the FDIC recognized that some of its
major applications and general support systems required a higher degree of security
assurance in order to be considered fully certified and accredited in accordance with the
National Institute of Standards and Technology (NIST) standards and guidelines. As of
January 2005, the FDIC expected to fully certify and accredit all major applications and
general support systems within 15 months in accordance with NIST standards and guidelines.

² A major application requires special attention to security due to the risk and magnitude of harm resulting from
the loss, misuse, or modification of or unauthorized access to information in the application.
A general support
system is an interconnected set of information resources under the same direct management control and that
shares common functionality. Such a system normally includes hardware, software, data, applications,
communications, and people.

Other Corporate Efforts to Promote E-Government

The FDIC had made significant strides in using technology to promote safety and soundness
in the banking industry, protect consumers’ deposits, and quickly resolve bank failures. To
reduce reporting burdens and to share information more quickly and conveniently, the FDIC
had instituted several projects to promote E-Government. Synopses of various FDIC
activities follow.

    •   FDICconnect. FDICconnect was designed for FDIC-insured institutions as an
        Internet channel to conduct business and exchange information with the FDIC.
        FDICconnect is designed to provide a secure e-business transaction channel to
        support implementation of the GPEA, which requires agencies to provide on-line
        consumer and business alternatives for paper-based processes when practicable. The
        FDIC plans to expand the number of FDICconnect applications, making it the
        standard electronic gateway for interactions with all insured institutions.

    •   Virtual Supervisory Information on the Net (ViSION). ViSION provides
        automated support for many aspects of bank supervision, including application
        tracking, case management, safety and soundness examinations, IT examinations,
        off-site monitoring, large bank analysis, management reporting, workload management,
        and security. ViSION allows FDIC examiners to operate more efficiently by working
        with electronic rather than paper-based information.

    •   FDICSales.com.
        The FDICSales Web site provides customers with the convenience
        of on-line access 24 hours a day to FDIC loan sales events. Customers can register
        their preferences for the types of loans they are interested in purchasing, receive
        electronic notification of sales matching their preferences, access detailed information
        concerning the loans offered for sale, and submit bids to purchase the loans. Through
        FDICSales.com, potential bidders can also review financial and other detailed
        information and submit bids on a failing bank or thrift and on loan pools not sold
        within a bank at the time of failure.

    •   Call Report Modernization. Reports of Condition and Income (Call Report) are a
        widely used source of timely and accurate financial data regarding a bank’s condition
        and the results of operations. The Call Report Modernization effort is an interagency
        initiative that targets improvements in the compilation, collection, validation,
        integration, and distribution of financial and demographic data related to
        FDIC-insured institutions. The initial focus of the project has been on modernizing the
        process through which the FDIC and other federal regulators acquire Call Report
        data. The FDIC has taken a leadership position in the definition and implementation
        of the Call Report Modernization initiative, collaborating closely with the Board of
        Governors of the Federal Reserve System and the Office of the Comptroller of the
        Currency.

    •   Corporate Human Resource Information System (CHRIS). CHRIS includes a
        new Web-based, employee self-service time and attendance system based on a
        commercial off-the-shelf system designed specifically for use with the National
        Finance Center payroll system.
        CHRIS will provide the FDIC with an integrated
        system that supports all existing human resources functions with a focus on data
        sharing, state-of-the-art computing technology, and the ability to grow and change
        with the Corporation’s business needs.

Process and Plan for Implementing E-Government Initiatives

    Agencies have established a process and plan for
    implementing all of the E-Government initiatives rather
    than creating redundant or agency-unique IT projects.

    Source: Expanded Electronic Government Scorecard Criteria.

As discussed earlier, the FDIC had taken initiatives and developed systems that were in line
with E-Government principles; however, these systems and initiatives were separate
development efforts rather than the fulfillment of a comprehensive plan. In September 2002,
the FDIC published the FDIC E-Government Strategy, which defined the FDIC’s strategy for
E-Government service delivery and presented the critical supporting factors required to
implement E-Government initiatives. However, this document did not discuss goals and
objectives or desired outcomes.

Key to managing any successful IT program is establishing IT goals and objectives,
measuring performance, and evaluating and reporting results to senior management.
Measuring performance against established goals and objectives is a fundamental principle of
the Government Performance and Results Act (GPRA) of 1993. In addition, OMB Circular
No. A-130, Management of Federal Information Resources, requires agencies to institute
performance measures and management processes that monitor actual performance against
expected results.

The FDIC submitted a status report to OMB documenting the FDIC’s progress in achieving
E-Government.
Specifically, the FDIC’s June 26, 2003 progress report to OMB stated that
the Corporation had completed development of an E-Government strategic plan that defines
the FDIC’s broad E-Government vision and mission, the FDIC’s objective in developing
E-Government, and the foundations needed to establish E-Government and barriers to its
acceptance and implementation. However, in December 2004, DIT officials noted that the
strategic plan had not been updated since it was prepared in September 2002 and that this
initial effort had been general in nature. Consistent with the DIT officials’ views, we found
that the 2002 strategic plan did not include specific goals for the FDIC’s E-Government
initiatives, the resources needed, strategies to be followed, assigned responsibilities, or
performance measures for tracking accomplishments. Further, the plan was not supported by
or linked to corporate goals and objectives established under GPRA or the Corporate
Performance Objectives (CPO).³

In August 2004, the FDIC issued the Information Technology Strategic Plan: 2004–2007 (IT
Strategic Plan). The IT Strategic Plan is one tool that the Corporation uses to set its strategic
direction for IT. The purpose of the IT Strategic Plan is to align IT with the FDIC’s mission,
vision, and business goals and to establish the overall goals and direction for the IT Program
at the FDIC.
The IT Strategic Plan describes how IT helps accomplish the FDIC’s mission.
The IT Strategic Plan also outlines many of the projects and programs, such as ViSION and
FDICSales.com, that support the E-Government initiative and considers IT support for
“Expanded Electronic Government” as a means to operate more efficiently and effectively.
Like the FDIC E-Government Strategy, the IT Strategic Plan does not specifically identify
measures for implementing the expanding E-Government initiatives and does not contain
goals, performance measures, objectives, and desired outcomes consistent with those
initiatives.

During our review, the Corporation established a CPO in December 2004 to develop and
implement a new E-Government strategy. The strategy will promote a paperless corporate
environment in which the majority of transactions and data and document storage are handled
electronically. The FDIC also established a working group that developed a scoping
statement that was approved by the CIO Council and a draft project plan to guide
development of the E-Government strategic plan. The scoping statement addresses
performance measures related to only one initiative -- promoting a paperless environment.
The project plan does not specifically address either performance measures or desired
outcomes for the E-Government initiatives.

Conclusion

The FDIC had been actively identifying, evaluating, and implementing various policies,
procedures, and technologies that are consistent with the goals and principles of the
E-Government initiatives and implementing OMB guidance. However, the FDIC needed to
better coordinate and measure its efforts through the timely development of a strategic plan
that is linked to corporate objectives and goals specifically addressing E-Government.
The plan, objectives, and goals would assist the Corporation in making steady progress in various aspects of E-Government, minimizing redundant systems or processes, and undertaking initiatives that are cost-beneficial.

At our exit conference, DIT officials indicated that the Corporation has established a milestone of December 31, 2005 for the CIO Council to approve a new E-Government strategic plan.

³ The FDIC initiated the CPOs in 2002, which set an overall direction for the Corporation and go beyond the operational goals established in the Corporation’s Annual Performance Plan sent to the Congress and OMB. The CPOs are established each year during the annual corporate planning and budget process, subject to final approval by the Chairman.

The actions taken by the Corporation during and subsequent to our review, together with its planned actions, adequately address our finding. Thus, we are not making any recommendations. We suggest, however, that in completing the new E-Government strategic plan, the Corporation be mindful of the August 2003 OMB E-Government Act guidance that E-Government performance measures must be linked to the Corporation’s Annual Performance Plan and Strategic Plan and desired outcomes of E-Government must be identified.

CORPORATION COMMENTS AND OIG EVALUATION

We provided FDIC management with a draft of this report on April 14, 2005. The draft report included two recommendations associated with establishing an E-Government strategic plan. Subsequent to issuance of the draft report, we held an exit conference with management to discuss our findings and proposed recommendations.
As discussed earlier in this report, management provided us with additional information regarding several actions it had taken during and after our review, as well as planned actions, that adequately addressed our concerns regarding the need for an E-Government strategic plan. As a result, we made appropriate changes to the final report, including eliminating the recommendations. We provided management with a revised version of the draft report reflecting those changes and a written response was not required. DIT notified the OIG that it had no official comments on the revised draft report.

APPENDIX I

OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of our audit was to determine whether the FDIC (1) adequately implemented E-Government principles in its operations and information exchange with insured financial institutions and (2) complied with applicable portions of the GPEA. The audit was conducted from December 2004 through March 2005 in accordance with generally accepted government auditing standards. The scope of our audit work was limited to obtaining an understanding of the Corporation’s progress on E-Government initiatives because the FDIC had not developed a comprehensive E-Government strategic plan. We used areas in OMB’s Scorecard tracking system to assess the FDIC’s progress in implementing E-Government.

Regarding GPEA, the FDIC has developed several applications and initiatives that have been designed to reduce paperwork or streamline processes internally and externally. Because we limited the scope of our audit, we did not determine whether these initiatives fully comply with the intent of the Act.
However, we verified that the FDIC submitted its progress report to OMB, describing the Corporation’s progress in complying with GPEA.

To accomplish our objective, we reviewed numerous documents including:

• Public Law 107-347, also referred to as the E-Government Act of 2002;
• OMB’s E-Government Strategy, dated February 27, 2002;
• Public Law 105-277, Government Paperwork Elimination Act;
• OMB’s E-Government Strategy, dated April 2003;
• OMB’s Implementation Guidance for the E-Government Act of 2002, dated August 2003;
• OMB’s Expanding E-Government, Partnering for a Results-Oriented Government, dated December 2004;
• OMB’s Executive Branch Management Scorecard;
• Public Law 103-62, Government Performance and Results Act;
• OMB Circular No. A-130, Management of Federal Information Resources;
• the FDIC E-Government Strategy, dated September 2002;
• FDIC’s Information Technology Strategic Plan: 2004-2007; and
• FDIC’s CIO Council E-Government Strategy Project Plan Draft.

Applicability of Initiatives, Guidance, and Legislation to the FDIC

In conducting this audit we considered the PMA, portions of which were codified in the E-Government Act of 2002 enacted December 17, 2002. While the PMA may not be binding on the FDIC, many of the provisions of the E-Government Act are binding on the FDIC. Our review focused on title II of the Act, Federal Management and Promotion of Electronic Government Services, because of its applicability to this audit. Under the Act, OMB has authority to issue guidance to implement the Act’s provisions, and such guidance is, in general, binding on the FDIC.
Accordingly, OMB’s August 2003 Implementation Guidance for the E-Government Act of 2002 appears to be binding on the FDIC. OMB’s February 2002 E-Government Strategy predates the E-Government Act and does not reference any other statutory or regulatory authorities for its issuance and thus is not legally binding on the FDIC. OMB’s Scorecard has been used to track the progress of various departments and agencies, but has not included the FDIC.

While OMB’s pronouncements discussed above may or may not be legally binding on the FDIC, we believe they represent prudent business practices that the FDIC should consider in its E-Government efforts. Accordingly, we employed those pronouncements, particularly the Scorecard analysis, in performing this audit.

GPRA, Reliance on Computer-Generated Data, Fraud and Illegal Acts, and Management Controls

We tested compliance with the GPRA by determining whether the FDIC had established performance measures related to E-Government initiatives. The limited nature of the audit did not require testing internal controls or reviewing the reliability of computer-processed data obtained from the FDIC’s computerized systems. Such data was not significant to our audit findings and conclusions.
During the audit, we were alert for instances of fraud and illegal acts, but found none.

APPENDIX II

EXPANDED ELECTRONIC GOVERNMENT

Agency:
• Has an Enterprise Architecture linked to the Federal Enterprise Architecture (FEA) rated “effective” using OMB’s EA Assessment tool (score of “3” on both EA Maturity and Degree of Alignment);
• Has acceptable business cases (security, measures of success linked to the Enterprise Architecture, program management, risk management, and cost, schedule, and performance goals) for all major systems investments;
• Has demonstrated using EVM or operational analysis, cost and schedule overruns, and performance shortfalls, that average less than 10% for all major IT projects;
• Submits quarterly status reports in remediating IT security weaknesses;
• Inspector General verifies the effectiveness of the Department-wide IT Security Remediation Process;
• Has 90% of all IT systems properly secured (certified and accredited); AND
• Has implemented all of the appropriate E-Gov initiatives rather than creating redundant or agency unique IT projects.

To maintain green status, agency:
• Has ALL IT systems certified and accredited;
• Has IT systems installed and maintained in accordance with security configurations; AND
• Has consolidated and/or optimized all agency infrastructure to include providing for continuity of operations.

Agency:
• Has an Enterprise Architecture linked to the FEA rated “effective” by using OMB’s EA Assessment tool (score of “3” on both EA Maturity and Degree of Alignment);
• Has acceptable business cases (security, measures of success linked to the EA, program management, risk management, and cost, schedule and performance goals) for more than 50% of its major systems investments;
• Submits security reports to OMB that document consistent security improvement and either:
  o 80% of all IT Systems are properly secured; OR
  o Inspector General verifies the effectiveness of the Department-wide IT Security Plan of Action and Milestone Remediation Process;
• Has cost and schedule overruns, and performance shortfalls, that average less than 30% for all major IT projects; AND
• Has established a process and plan for implementing all of the appropriate E-Gov initiatives rather than creating redundant or agency unique IT projects.

Agency:
• Does not have an Enterprise Architecture linked to the FEA rated “effective” by using OMB’s EA Assessment tool (score of “3”);
• Does not have acceptable business cases (security, measures of success linked to EA, program management, risk management, and cost, schedule and performance goals) for more than 50% of its major systems investments;
• Has not submitted Security Reports to OMB that document consistent security improvement and cannot demonstrate that:
  o 80% of all IT systems are properly secured; OR
  o Inspector General has verified the effectiveness of the Department-wide IT Security Plan of Action and Milestone Remediation Process;
• Has cost and schedule overruns, and performance shortfalls, that average 30% or more; OR
• Has not established a process and plan for implementing all of the appropriate E-Gov initiatives rather than creating redundant or agency unique IT projects.

Source: Reproduced from OMB.
Note: Earned Value Management (EVM) is operational analysis of cost overruns and performance shortfalls to average less than 10 percent of an IT portfolio.